Wireless Access

Frequent Contributor II

Moving APs from 6.x to 8.x - AP Unable to set up IPSec tunnel to MM

We have an existing AOS 6.5 production setup and we have a whole new set of hardware configured for AOS 8.3. So far, the new setup is ready for testing and I am trying to move an AP from the current AOS6 setup to AOS8 by changing the LMS IP of an AP. I pointed the LMS IP to the VRRP IP of the MM. Here's what's on the AP console:

 

AP rebooted Tue Jun 18 14:27:24 PDT 2019; Unable to set up IPSec tunnel to saved lms, Error:RC_ERROR_IKEV2_TIMEOUT
shutting down watchdog process (nanny will restart it)...
MVP Guru

Re: Moving APs from 6.x to 8.x - AP Unable to set up IPSec tunnel to MM

The MM doesn’t support APs; you need to change the LMS IP so that the APs build the tunnel with the Mobility Controller (Managed Nodes).

Thank you

Victor Fabian
Lead Mobility Architect @WEI
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Frequent Contributor II

Re: Moving APs from 6.x to 8.x - AP Unable to set up IPSec tunnel to MM

I see.

 

So which of the MCs? I have 2 MCs for now that are clustered. I'm still waiting for the other 2, so a total of 4 when complete. I know there's a Leader concept on the MCs, but I don't know which one. Should I point it to the leader, or will any of the MCs do fine?

MVP Guru

Re: Moving APs from 6.x to 8.x - AP Unable to set up IPSec tunnel to MM

How are you planning to migrate all your APs? All at once or in phases?

I recommend you have the same AP-Group names; it makes things a bit easier (you can create new ones and move the APs to the new ones once the APs are already communicating with the AOS8 controllers).

Configure a VRRP VIP between the two MCs.
You have a couple of options:
- You can update the LMS-IP using the VRRP VIP on the AP-Group from the existing AOS6
- You can point the APs to aruba-master that resolves to a VRRP VIP (don’t do this if you are planning to move your APs in phases and aruba-master is currently in use)
- Configure DHCP option 43 using the VRRP VIP

Once the APs are fully provisioned on the AOS8 Cluster, all the APs will have a cluster node list with the MCs' IPs.

Victor Fabian
Frequent Contributor II

Re: Moving APs from 6.x to 8.x - AP Unable to set up IPSec tunnel to MM

I just changed the LMS IP and it's now pointing to one of the MCs, with the other MC as the backup LMS IP. The problem is still the same: the AP can't form an IPsec tunnel to the MC.

My plan for migrating all those 2000 APs is one AP group at a time, by changing their LMS IPs. The AOS8 setup has the same AP groups as the current AOS6.

Right now, I only have 2 MCs, but I am expecting 2 more (being shipped right now). I can create a VIP between the 2 MCs now, but what happens if I add the other 2?

Guru Elite

Re: Moving APs from 6.x to 8.x - AP Unable to set up IPSec tunnel to MM

- You need to make a VIP between the two MDs and then add the other two MDs to the VRRP.

- Your discovery method, DNS or DHCP option 43, should point to that VIP.

- When APs discover a cluster, the list of nodes is pushed to the APs' flash, and upon reboot the APs no longer discover using DNS, DHCP or multicast: they attempt to connect to the list of nodes in their flash.

- There is no need to put an LMS-IP into the ap-group, because the AP is assigned a controller by the cluster leader when it connects to one of the nodes in the node list.

- LMS-IP is only necessary if you have more than one cluster and there is a chance that your APs will initially discover the wrong cluster and will need to be redirected to the correct one, OR you need to enter a backup-LMS for redundancy to a second cluster (overkill).

 

If you have 2000 APs to migrate, I suggest you contract a VAR or work with your Aruba SE to get information on how to proceed, because there are many ways to configure things suboptimally.


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
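The posts above say discovery (DNS or DHCP option 43) should point the APs at the cluster VIP. As an added example that is not from this thread, from Aruba or from HPE, here is a small Python helper that renders that DHCP side for ISC dhcpd: it validates the VIP, encodes it as the option 43 payload and emits a class block that only hands the value to hosts presenting the Aruba vendor class. It assumes (check the ArubaOS user guide for your release) that APs send the vendor class identifier `ArubaAP` in option 60 and expect option 43 to carry the controller address as a plain ASCII string; the VIP `10.1.1.1` is a constructed sample value.

```python
import ipaddress

# Vendor class identifier Aruba APs are assumed to send in DHCP option 60
# (assumption: confirm against the ArubaOS user guide for your release).
ARUBA_VENDOR_CLASS = "ArubaAP"


def validate_vip(vip: str) -> ipaddress.IPv4Address:
    """Reject anything that is not a plain unicast IPv4 address before it lands in DHCP config."""
    addr = ipaddress.ip_address(vip)
    if addr.version != 4:
        raise ValueError(f"{vip}: this option 43 helper only handles IPv4 VIPs")
    if addr.is_multicast or addr.is_unspecified or addr.is_loopback:
        raise ValueError(f"{vip}: not a usable controller VIP")
    return addr


def option43_hex(vip: str) -> str:
    """Option 43 payload as colon-separated hex octets of the ASCII address string (ISC dhcpd syntax)."""
    addr = validate_vip(vip)
    return ":".join(f"{b:02x}" for b in str(addr).encode("ascii"))


def decode_option43(payload_hex: str) -> str:
    """Reverse the encoding so a payload captured from a DHCP offer can be checked against the expected VIP."""
    raw = bytes.fromhex(payload_hex.replace(":", ""))
    return raw.decode("ascii")


def isc_dhcpd_stanza(vip: str) -> str:
    """Render an ISC dhcpd class block that returns the VIP only to clients claiming the Aruba vendor class."""
    payload = option43_hex(vip)
    return (
        'class "aruba-ap" {\n'
        f'    match if option vendor-class-identifier = "{ARUBA_VENDOR_CLASS}";\n'
        f'    option vendor-class-identifier "{ARUBA_VENDOR_CLASS}";\n'
        f"    option vendor-encapsulated-options {payload};\n"
        "}\n"
    )


if __name__ == "__main__":
    # Constructed sample VIP; substitute the VRRP VIP shared by your MCs.
    print(isc_dhcpd_stanza("10.1.1.1"))
```

Restricting the option to the `aruba-ap` class keeps the controller address out of offers made to ordinary clients on the same scope, and `decode_option43` lets you confirm from a packet capture that the AP is actually being handed the VIP you intended before you reboot a whole AP group.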
MVP Guru

Re: Moving APs from 6.x to 8.x - AP Unable to set up IPSec tunnel to MM

On the new environment, make sure you have the MC controllers' LMS IPs defined as well.

Also click "save configuration" on the master so the config is pushed.

Victor Fabian
Frequent Contributor II

Re: Moving APs from 6.x to 8.x - AP Unable to set up IPSec tunnel to MM

It turned out that the problem was an ALE QoS issue. I was able to terminate 2 APs on AOS8 now by changing the APs' LMS IP on AOS6, pointing to one of the MCs.

However, I think I did the design all wrong. All of the boxes (2 MM + 2 MCs) are in one VLAN. The 2 MMs got a VIP within that VLAN. I thought APs need to find this VIP for discovery, but it turns out that APs have to find the MCs instead. Now it seems that AOS8 doesn't allow me to make a VRRP for the 4 MCs within that same VLAN.

What's a good practice here? Should the 2 MMs stay in their own subnet and the 4 MCs on their own?

 

Thanks

MVP Guru

Re: Moving APs from 6.x to 8.x - AP Unable to set up IPSec tunnel to MM

I always try to keep those separate from a segment/VLAN perspective; I think you will see much better performance.

And you will not see much benefit from having the MM and MD on the same VLANs.


Victor Fabian

Re: Moving APs from 6.x to 8.x - AP Unable to set up IPSec tunnel to MM

As Victor mentions, usually they are separated, but you can certainly put all the MMs and MCs in the same VLAN; you just have to make sure you're tracking all the VRRP IPs, as the cluster configuration will use the higher-numbered VRRP IPs and IDs. I keep my MM VIPs low to avoid that. But in the vast majority of deployments, the MMs end up on different VLANs from the MCs.


Jerrod Howard
Distinguished Technologist, TME